By Steve Ragan Apr 10, 2007, 10:30 GMT
NextSentry is a company that offers desktop security and compliance management to enterprise-level IT networks. The software they create helps network administrators manage both local and network-wide policies. The product that is most often used is ActiveSentry, which offers unobtrusive desktop monitoring across a broad array of potential distribution methods including email, instant messaging, blogs, file transfer, printing, and removable storage devices such as USB drives, CDs, or iPods.
The subject of iPods and other mass storage devices is what their latest suggestion centers on. They call it ‘Pocket Fraud,’ and predict that, in regard to corporate loss and theft, Pocket Fraud will cause just as much damage as any external threat, if not more. The company believes that the use of iPods for "Pod Slurping," MP3s, and even digital cameras with massive storage capacities will become the biggest Pocket Fraud assets for internal theft from rogue employees. As a result, NextSentry suggests corporations prohibit employees from using such devices until proper policy enforcement capabilities are in place in order to prevent data leaks.
According to NextSentry, mass storage devices like iPods, MP3s, and memory sticks are finding a place in the enterprise either to make employees happy or to increase productivity. This is true, as several large companies give out iPods for training and as rewards for meeting goals and other milestones. There is a report of National Semiconductor Corp spending close to $2.5 million on video iPods for training. With the average Word document running anywhere from 25K to 30K in size, a 20GB iPod could hold more than seven hundred fifty thousand documents. This point alone, NextSentry believes, should cause alarm for any company concerned about insider threats.
“Many employees enjoy listening to their iPods at work, but companies can't afford this luxury at the expense of leaking valuable customer data or intellectual property into the hands of criminals or competitors,” said Jim Hereford, CEO of NextSentry. “If you don't have proper policy enforcement capabilities in place to monitor the desktop and all removable media, even the CEO who loves their iPod could be stealing millions of dollars worth of data right underneath the chief security officer's nose.”
NextSentry includes several examples in their report about internal risks. One such example comes from Ernst & Young, “...an insider attack against a large company causes an average of $2.7 million in damages.” Yet, in the financial services industry for example, “ninety percent of the money spent by banks on vendor-built fraud detection solutions is focused on detecting and mitigating external fraud, signaling an important overlook to the growing threat of internal security breaches,” NextSentry said in a statement.
Hereford continues, “Regardless if companies have spent millions of dollars on network security, encryption, malware, and authentication -- employees can still walk out the door with credit card numbers, social security numbers, and critical intellectual property on devices that fit in their pocket. The scary part is that it doesn't take a thug, felon or a terrorist, it's the inconspicuous employee working in absolute transparency at the desktop.”
The risk is there, but not at the level that NextSentry makes it out to be. The fact is they are right on the points made with regard to underused desktop policies and monitoring. Many IT firms overlook the simplest desktop policies that restrict the use of media devices like iPods and other external storage media.
Locking down the computers and allowing only the essential access to any employee is the first step in a hardened and secure network. Several products are available to protect a network from external threats, too many to count actually. The little things always end up being what trips up companies. Desktop policy enforcement is one of them.